11 March 2026 · Last reviewed 18 February 2026
PECR Consent Records: What to Keep, How Long, and Where to Store Them
If the ICO writes to you tomorrow asking for evidence that your subscribers agreed to receive marketing emails, what exactly would you hand over?
Most UK businesses know they need consent under PECR. Far fewer know what records to keep and for how long. The regulations don't spell it out — but the ICO's enforcement actions make the expectations clear.
What the ICO expects you to keep
PECR Regulation 22 places the burden of proof on the sender. You must demonstrate that each recipient gave valid consent — or that the soft opt-in exception applies. "We had a form" is not evidence. "Here is the form, here is when they submitted it, and here is what it said" is.
Based on the ICO's direct marketing guidance and recent PECR enforcement actions, these are the core elements:
1. The exact consent wording
Not a summary. The precise text displayed when they opted in. If your form said "Receive weekly tips on running gear and exclusive offers from RunShop Ltd via email" in January 2025, that is what you need on file — even if you rewrote the text six months later.
Each time the wording changes, archive the old version with the dates it was live.
2. Timestamp
The ICO expects a date and time — not "sometime in Q2." Your email platform records a subscription date, but that alone is not a consent record without the rest of the evidence below.
3. Source and collection method
Was consent collected through a web form, a paper form at a trade show, or a verbal opt-in on a sales call? The evidence standard differs by method. A web form can be archived with a screenshot and URL. A verbal opt-in needs a call recording or written note.
4. Opt-out records
When someone unsubscribes, record when the request was made, when it was actioned, and that the person was suppressed. If someone tells the ICO they unsubscribed but kept receiving emails, your suppression log is your defence.
5. Third-party provenance
If you acquired contacts from a data broker or lead generation partner, the ICO expects evidence of the original consent those contacts gave — not yours, but what the third party collected. That means the exact wording, mechanism, and timestamp from the supplier, plus confirmation that your organisation was named. Our guide on third-party data and PECR consent covers this in detail.
What to record for each consent type
The records you need depend on the consent basis you rely on.
Explicit opt-in
| Record element | What to store |
|---|---|
| Consent wording version | Exact text shown, with date range it was live |
| Timestamp | Date and time the subscriber opted in |
| Collection source | URL, form name, or physical location |
| Collection method | Web form, paper form, telephone, in-person |
| Checkbox state | Confirmation the box was unticked by default |
| IP address or device ID | Where available, as supporting evidence |
| Double opt-in confirmation | If used, the confirmation email timestamp |
Soft opt-in
| Record element | What to store |
|---|---|
| Original transaction | What was purchased (or negotiated) and when |
| Transaction evidence | Order ID, invoice, CRM record |
| Opt-out at collection | Screenshot of the opt-out mechanism shown at point of sale |
| Product/service similarity | Link between marketing content and original purchase category |
| Ongoing opt-out | Confirmation that every email includes a working unsubscribe link |
For a full breakdown of the four soft opt-in conditions, see how the soft opt-in actually works.
Third-party data
| Record element | What to store |
|---|---|
| Data supplier identity | Company name, ICO registration number, contract reference |
| Original consent wording | Exact text the subscriber saw when the third party collected their data |
| Your organisation named | Confirmation that the wording specifically identified your company |
| Collection date range | When the third party collected the data |
| Due diligence records | Checks you performed on the supplier's consent practices |
| Data transfer agreement | The contract governing the data share |
If any row in that table is blank, you have a gap the ICO will find. The PECR compliance checker flags third-party data risk as part of its assessment.
How long to keep consent records
PECR does not specify a fixed retention period. Two principles guide what you should do.
Retain consent evidence for as long as you rely on it. If you are sending someone marketing emails based on consent they gave in 2023, hold that record for as long as they remain on your list.
GDPR storage limitation applies to consent records themselves. Consent records contain personal data. Under the UK GDPR's storage limitation principle (Article 5(1)(e)), personal data should not be kept longer than necessary. Once someone unsubscribes and the limitation period for potential claims has passed, indefinite storage may itself become a problem.
Practical retention periods
- Active subscribers: Retain the full consent record for as long as they are on your list.
- Unsubscribed contacts: Retain consent and opt-out records for six years after unsubscription, aligning with the limitation period under the Limitation Act 1980.
- Third-party data records: Retain provenance and due diligence records for the same period.
- Consent wording versions: Retain for as long as any subscriber who signed up under that version remains active.
Document your retention periods in a written policy. The ICO looks favourably on organisations that have thought this through.
Where to store consent records
Your email platform is not a consent records system. Mailchimp, HubSpot, and similar tools record subscription dates, but they don't archive consent wording versions or link subscribers to the form text they saw.
Common approaches:
- Spreadsheet + screenshot folder. Workable for very small lists. Falls apart past a few hundred contacts.
- CRM with custom fields. Better — you can attach consent metadata to individual records. Requires manual discipline.
- Dedicated consent management. Purpose-built tools that connect to your ESP and document the consent chain automatically. This is the gap ConsentTrail is built to fill.
Whatever you choose, records must be retrievable per individual. The ICO asks "show us the consent record for this specific person" — not "show us your general process."
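A per-individual lookup of this kind, combined with the retention periods above, can be sketched as follows. This is an added example, not code from ConsentTrail or any email platform; the record layout, field names, function names, version dates and sample subscribers are all assumptions constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import Optional
RETENTION_YEARS = 6  # period the article suggests after unsubscription

@dataclass
class WordingVersion:  # one archived version of the consent text
    text: str
    live_from: datetime
    live_to: Optional[datetime]  # None means still live

@dataclass
class ConsentRecord:  # hypothetical per-subscriber record (explicit opt-in)
    email: str
    opted_in_at: Optional[datetime]
    source: Optional[str]  # URL, form name, or physical location
    method: Optional[str]  # web form, paper form, telephone, in-person
    unticked_by_default: Optional[bool]
    unsubscribed_at: Optional[datetime] = None

def wording_shown(versions, when):
    """Return the archived wording that was live at `when`, or None."""
    for v in versions:
        if v.live_from <= when and (v.live_to is None or when < v.live_to):
            return v
    return None

def gaps(record, versions):
    """Name the elements that cannot be evidenced for this one person."""
    fields = ("opted_in_at", "source", "method", "unticked_by_default")
    missing = [f for f in fields if getattr(record, f) is None]
    when = record.opted_in_at
    if when is None or wording_shown(versions, when) is None:
        missing.append("consent_wording")  # no archived text covers that date
    return missing

def purge_after(record):
    """None while subscribed; otherwise the opt-out date plus six years."""
    u = record.unsubscribed_at
    if u is None:
        return None
    day = 28 if (u.month, u.day) == (2, 29) else u.day  # target year may not be leap
    return u.replace(year=u.year + RETENTION_YEARS, day=day)

# Constructed sample data, not real subscribers.
VERSIONS = [WordingVersion("Receive weekly tips on running gear and exclusive offers from "
                           "RunShop Ltd via email", datetime(2025, 1, 1), datetime(2025, 7, 1)),
            WordingVersion("(rewritten wording)", datetime(2025, 7, 1), None)]
ALICE = ConsentRecord("alice@example.com", datetime(2025, 1, 14, 9, 30),
                      "https://example.com/signup", "web form", True)
BOB = ConsentRecord("bob@example.com", datetime(2024, 11, 2, 16, 5), None, "web form",
                    None, unsubscribed_at=datetime(2026, 2, 28, 8, 0))
```

Here `gaps(BOB, VERSIONS)` reports a missing source, a missing checkbox state, and no archived wording covering his opt-in date, which is the kind of per-person gap a spot check is meant to surface.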
Where to start
First, screenshot every consent collection point on your website and save them with today's date. Use the consent wording checker to verify the language meets PECR requirements.
Second, pick five subscribers at random and try to reconstruct their full consent record. If you cannot, that tells you where your gaps are.
For a full walkthrough, the PECR compliance checklist for 2026 covers all 15 items. If you use Mailchimp, our guide on auditing Mailchimp for PECR compliance addresses the specific gaps in that platform's records.
Consent records are not a box-ticking exercise. They are the evidence that stands between your business and an ICO fine. The organisations that get penalised are not always acting in bad faith — they just cannot produce the paperwork.